From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <pablo.de.lara.guarch@intel.com>
Received: from mga05.intel.com (mga05.intel.com [192.55.52.43])
 by dpdk.org (Postfix) with ESMTP id 0E6191B170
 for <users@dpdk.org>; Tue,  9 Jan 2018 11:00:14 +0100 (CET)
X-Amp-Result: SKIPPED(no attachment in message)
X-Amp-File-Uploaded: False
Received: from orsmga008.jf.intel.com ([10.7.209.65])
 by fmsmga105.fm.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384;
 09 Jan 2018 02:00:13 -0800
X-ExtLoop1: 1
X-IronPort-AV: E=Sophos;i="5.46,335,1511856000"; 
   d="scan'208";a="9299140"
Received: from irsmsx101.ger.corp.intel.com ([163.33.3.153])
 by orsmga008.jf.intel.com with ESMTP; 09 Jan 2018 02:00:12 -0800
Received: from irsmsx108.ger.corp.intel.com ([169.254.11.167]) by
 IRSMSX101.ger.corp.intel.com ([169.254.1.46]) with mapi id 14.03.0319.002;
 Tue, 9 Jan 2018 10:00:11 +0000
From: "De Lara Guarch, Pablo" <pablo.de.lara.guarch@intel.com>
To: "Avi Cohen (A)" <avi.cohen@huawei.com>, "Gowda, Sandesh"
 <sandesh.gowda@intel.com>, "users@dpdk.org" <users@dpdk.org>
Thread-Topic: IPSEC-SECGW sample application
Thread-Index: AdOHy7KaBzLhC8jTTQWybyU8LedmBwAkRJQAAAZCeTAAChXREAABZA3AACJZv+AAAM8msA==
Date: Tue, 9 Jan 2018 10:00:11 +0000
Message-ID: <E115CCD9D858EF4F90C690B0DCB4D8976CC6AA86@IRSMSX108.ger.corp.intel.com>
References: <B84047ECBD981D4B93EAE5A6245AA36101594AF3@FRAEML521-MBX.china.huawei.com>
 <EDE1359882508442A045AB0CF959E30B70AEC69D@PGSMSX102.gar.corp.intel.com>
 <B84047ECBD981D4B93EAE5A6245AA36101594BEC@FRAEML521-MBX.china.huawei.com>
 <EDE1359882508442A045AB0CF959E30B70AEC7B8@PGSMSX102.gar.corp.intel.com>
 <B84047ECBD981D4B93EAE5A6245AA36101594C58@FRAEML521-MBX.china.huawei.com>
In-Reply-To: <B84047ECBD981D4B93EAE5A6245AA36101594C58@FRAEML521-MBX.china.huawei.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-titus-metadata-40: eyJDYXRlZ29yeUxhYmVscyI6IiIsIk1ldGFkYXRhIjp7Im5zIjoiaHR0cDpcL1wvd3d3LnRpdHVzLmNvbVwvbnNcL0ludGVsMyIsImlkIjoiYzRkYWNkZGItMTRmOC00M2ZmLTk1ODYtZjQ4ZTdlNzM1NjA0IiwicHJvcHMiOlt7Im4iOiJDVFBDbGFzc2lmaWNhdGlvbiIsInZhbHMiOlt7InZhbHVlIjoiQ1RQX05UIn1dfV19LCJTdWJqZWN0TGFiZWxzIjpbXSwiVE1DVmVyc2lvbiI6IjE2LjUuOS4zIiwiVHJ1c3RlZExhYmVsSGFzaCI6InJuUjdZMnZueU9RTkExVjFUVHV3cUhoWTVrN3RQVG1cL1NsRTZybVJBMlVjPSJ9
x-ctpclassification: CTP_NT
dlp-product: dlpe-windows
dlp-version: 11.0.0.116
dlp-reaction: no-action
x-originating-ip: [163.33.239.182]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Subject: Re: [dpdk-users] IPSEC-SECGW sample application
X-BeenThere: users@dpdk.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DPDK usage discussions <users.dpdk.org>
List-Unsubscribe: <https://dpdk.org/ml/options/users>,
 <mailto:users-request@dpdk.org?subject=unsubscribe>
List-Archive: <http://dpdk.org/ml/archives/users/>
List-Post: <mailto:users@dpdk.org>
List-Help: <mailto:users-request@dpdk.org?subject=help>
List-Subscribe: <https://dpdk.org/ml/listinfo/users>,
 <mailto:users-request@dpdk.org?subject=subscribe>
X-List-Received-Date: Tue, 09 Jan 2018 10:00:15 -0000

Hi Avi,

> -----Original Message-----
> From: users [mailto:users-bounces@dpdk.org] On Behalf Of Avi Cohen (A)
> Sent: Tuesday, January 9, 2018 9:39 AM
> To: Gowda, Sandesh <sandesh.gowda@intel.com>; users@dpdk.org
> Subject: Re: [dpdk-users] IPSEC-SECGW sample application
>=20
> Thank you Sandesh
> I'm trying to run the l2fwd-crypto sample app.  but  got this error msg :
> "No crypto devices available
> EAL: Error - exiting with code: 1
>  Cause: Failed to initialize crypto devices"
>=20
> My setup include 2 physical ports (intel x540)  bound to dpdk - these Nic=
s
> are ipsec offload capable.

L2fwd-crypto does not support inline IPSec. For this application,
you can only use crypto devices (under crypto folder).

Pablo

>=20
> The cmd-line I use is:
> ./l2fwd-crypto -l 0-1 -n 4 -- -p 0x3 --cdev_type HW --chain CIPHER_HASH -=
-
> cipher_op ENCRYPT --cipher_algo aes-cbc --cipher_key
> 00:01:02:03:04:05:06:07:08:09:0a:0b:0c:0d:0e:0f --auth_op GENERATE --
> auth_algo aes-xcbc-mac --auth_key
> 10:11:12:13:14:15:16:17:18:19:1a:1b:1c:1d:1e:1f
>=20
> Best Regards
> Avi
>=20
>=20
> > -----Original Message-----
> > From: Gowda, Sandesh [mailto:sandesh.gowda@intel.com]
> > Sent: Monday, 08 January, 2018 7:23 PM
> > To: Avi Cohen (A); users@dpdk.org
> > Subject: RE: IPSEC-SECGW sample application
> >
> > Hi Avi,
> >
> >  My response inline.
> >
> > > 1.  I see in the documentation that this app. Supports only
> > > **complete offload**.
> > >  But Intel NICS x540 and 82599 which supports ipsec offload requires
> > > that the SW will  add/remove the ESP headers How can I run this app
> > > with
> > x540 nic ?
> >
> > The SA rule "type" field lets you choose the kind of offload.
> > Following is the description from the ipsecgw app guide:
> >
> > <type>
> >
> > Action type to specify the security action. This option specify the SA
> > to be performed with look aside protocol offload to HW accelerator or
> > protocol offload on ethernet device or inline crypto processing on the
> > ethernet device during transmission.
> > Optional: Yes, default type no-offload Available options:
> > lookaside-protocol-offload: look aside protocol offload to HW
> > accelerator
> > inline-protocol-offload: inline protocol offload on ethernet device
> > inline-crypto-offload: inline crypto processing on ethernet device
> > no-offload: no offloading to hardware
> >
> > Correct your SA rules to have the desired "type" field.
> >
> > The ipsecgw application must work fine for QAT PCIe as well as
> > Ethernet NIC with IPSec feature provided the VFs as correctly bound to
> DPDK.
> >
> >
> > >  2. I added support for ESP header and trailer insertion for
> > > inline-protocol- offload for intel x540 Can you tell me the exact
> > > command line to run the application for this mode ?
> > > is vdev required ?
> >
> >  The ipsecgw application must work fine for QAT PCIe as well as
> > Ethernet NIC with IPSec feature provided the VFs as correctly bound to
> DPDK.
> > Please try running a more basic L2Fwd Crypto application on your NIC
> > to make sure the Crypto feature works.
> >
> >  Regards,
> >  Sandesh
> >
> >
> >
> > > -----Original Message-----
> > > From: Avi Cohen (A) [mailto:avi.cohen@huawei.com]
> > > Sent: Monday, January 08, 2018 10:05 PM
> > > To: Gowda, Sandesh <sandesh.gowda@intel.com>; users@dpdk.org
> > > Subject: RE: IPSEC-SECGW sample application
> > >
> > >
> > >  Hi  Sandesh  [I added one more question]  Thank you - I already
> > > understood that.
> > > 1.  I see in the documentation that this app. Supports only
> > > **complete offload**.
> > >  But Intel NICS x540 and 82599 which supports ipsec offload requires
> > > that the SW will  add/remove the ESP headers How can I run this app
> > > with
> > x540 nic ?
> > >
> > >  2. I added support for ESP header and trailer insertion for
> > > inline-protocol- offload for intel x540 Can you tell me the exact
> > > command line to run the application for this mode ?
> > > is vdev required ?
> > >  Best Regards
> > >  Avi
> > > >
> > > >
> > > >
> > > > > -----Original Message-----
> > > > > From: Gowda, Sandesh [mailto:sandesh.gowda@intel.com]
> > > > > Sent: Monday, 08 January, 2018 10:47 AM
> > > > > To: Avi Cohen (A); users@dpdk.org
> > > > > Subject: RE: IPSEC-SECGW sample application
> > > > >
> > > > >
> > > > > Hi Avi,
> > > > >
> > > > >  The application classifies the ports as Protected and Unprotecte=
d.
> > > > > Thus,
> > > > traffic
> > > > > received on an Unprotected or Protected port is consider Inbound
> > > > > or
> > > > Outbound
> > > > > respectively.
> > > > > ( Refer :
> > > > > http://dpdk.org/doc/guides/sample_app_ug/ipsec_secgw.html
> > > > > )
> > > > >
> > > > >  The Packets sent on a  Unprotected network requires Encryption
> > > > > whereas packets on Protected Network can be plain text.
> > > > >  This is the expected behavior.
> > > > >
> > > > >  Regards,
> > > > >  Sandesh
> > > > >
> > > > >
> > > > >
> > > > >
> > > > > -----Original Message-----
> > > > > From: users [mailto:users-bounces@dpdk.org] On Behalf Of Avi
> > > > > Cohen
> > > > > (A)
> > > > > Sent: Sunday, January 07, 2018 9:12 PM
> > > > > To: users@dpdk.org
> > > > > Subject: [dpdk-users] IPSEC-SECGW sample application
> > > > >
> > > > >
> > > > > Hello
> > > > > I'm using the DPDK17.11 and running the sample app. Ipsec_secgw.
> > > > > I have 2 ports port 0 is protected and port 1 is unprotected
> > > > > Traffic is received
> > > > in
> > > > > the unprotected and should be sent to the protected  port  for
> > > > > encryption But the traffic processing for the traffic received
> > > > > in the unprotected port is going through the
> **process_pkts_inbound ** .
> > > > > I expect that the traffic should be directed to the
> > > > **process_pkts_outbound**
> > > > > [where ESP headers are added etc.] Can someone help ?
> > > > >
> > > > >
> > > > > This is the config file:
> > > > >
> > > > > #SP rules
> > > > > sp ipv4 in esp protect 5 src 1.1.1.2/32 dst 1.1.2.10/32 #SA
> > > > > rules sa in 5 cipher_algo aes-128-cbc cipher_key
> > > > > 0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0 \ auth_algo sha1-hmac auth_key
> > > > > 0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0 \ mode ipv4-tunnel src
> > > > > 172.16.1.5 dst 172.16.2.5 \ type inline-protocol-offload port_id
> > > > > 0 #Routing rules rt ipv4 dst 172.16.2.5/32 port 0 rt ipv4 dst
> > > > > 1.1.2.0/24 port 0 rt ipv4 dst
> > > > > 1.1.1.0/24 port 0
> > > > >
> > > > >
> > > > > and this is the command line to run the applic:
> > > > >
> > > > > ./ipsec-secgw -l 1 -n 2 -- -p 0x3 -P -u 0x2
> > > > > --config=3D"(0,0,1),(1,0,1)" -f ../ep1.cfg
> > > > >
> > > > >
> > > > > Best Regards
> > > > > Avi